Sunday, December 4, 2016

If we want
to safeguard our data from theft or protect our privacy, encryption
is the most feasible option. It converts our sensitive data to
something that can be read only by authorized people.

Nowadays there are many encryption solutions available, and we get many options when encrypting our data. Some of them use symmetric key encryption and some use public key encryption. But what are symmetric key encryption and public key encryption actually? How do they work, and how do they differ from each other? This article discusses that.

What is Encryption?

Encryption is a process that takes a plaintext message as input and converts it into an encoded message called ciphertext, such that only authorized people can read it. Decryption is the opposite process: it takes a ciphertext message as input and converts it back into the original plaintext message. Both processes use secret keys. The secret key used in the encryption process is called the encryption key, and the secret key used in the decryption process is called the decryption key.

What is Symmetric Key Encryption?

As said above, the encryption and decryption processes use an encryption key and a decryption key respectively. Symmetric key encryption is an encryption process in which the same secret key is used for both encryption and decryption. We call that secret key the symmetric key. So, if we encrypt a file with symmetric key encryption using a secret key, we have to use the same secret key at the time of decryption too.

This
symmetric key encryption can use either stream ciphers or block
ciphers.

Stream Ciphers

In stream ciphers, the plaintext digits are taken one by one from the plaintext message and encrypted using a keystream. A keystream is basically a stream of pseudorandom characters used as keys. At the time of encryption, each plaintext digit is taken in turn and encrypted with the corresponding digit of the keystream.

This stream
cipher can be of two types:

Synchronous Stream Cipher

Asynchronous Stream Cipher

In
synchronous stream cipher, the keystream does not depend on
the plaintext or the ciphertext message. It is generated
independently.

With synchronous stream ciphers, the sender and the receiver of the encrypted message must stay in step for decryption to succeed. If a digit is added or removed during transmission, synchronization is lost. Practical implementations, though, use various methods to restore synchronization if it is lost.

In an asynchronous stream cipher, the N previous ciphertext digits are used to compute the keystream. This N varies with the implementation. In an asynchronous stream cipher the receiver of the ciphertext can automatically resynchronize with the keystream generator after receiving N ciphertext digits, which makes it easier to recover if digits are added or lost during transmission.

Because of their speed and simplicity of implementation in hardware, stream ciphers are often used. RC4, A5/1, A5/2, FISH, Helix, ISAAC etc. are a few stream ciphers commonly found in software.

Block Ciphers

In block ciphers, the input plaintext message is divided into a number of blocks of some fixed length, and each block is then encrypted with the symmetric key.

If a message produces the same ciphertext each time it is encrypted with a given symmetric key, the encryption process is considered weak, because the attacker can observe the bit patterns in the ciphertext and guess the plaintext. To prevent this, an Initialization Vector is often used. An Initialization Vector is basically a pseudorandom value used along with the symmetric key at the time of encryption. It randomizes the plaintext, so that the same plaintext produces different ciphertexts each time it is encrypted, even with the same symmetric key.
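To make the two points above concrete (a synchronous keystream that falls out of step when a ciphertext digit is dropped, and an Initialization Vector that makes repeated encryptions of the same plaintext differ), here is an added Python illustration that is not part of the original post. It builds a toy synchronous stream cipher whose keystream is HMAC-SHA256 over the key, a 16-byte nonce (the IV) and a block counter. The construction, the key and the sample plaintext are all constructed for the demo; it shows the properties discussed, not a cipher to deploy.

```python
import hashlib
import hmac

NONCE_LEN = 16  # bytes; the per-message Initialization Vector


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Synchronous keystream: derived only from the key and the nonce, never
    from the plaintext or the ciphertext. Each 32-byte block is
    HMAC-SHA256(key, nonce || counter). Illustrative construction only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream. XOR is its own inverse, so the same call
    both encrypts and decrypts: that is what makes the cipher symmetric."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext is nonce || keystream-XOR(plaintext); the nonce is not secret."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return nonce + stream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return stream_xor(key, nonce, ciphertext)


def ciphertexts_differ_with_new_nonce(key, plaintext, nonce_a, nonce_b):
    """Same key, same plaintext: only the nonce (IV) changes.
    A fresh nonce per message is what removes the repeated bit patterns."""
    ct_a = encrypt(key, nonce_a, plaintext)[NONCE_LEN:]
    ct_b = encrypt(key, nonce_b, plaintext)[NONCE_LEN:]
    return ct_a != ct_b


def decrypt_after_dropped_byte(key, blob, index):
    """Simulate a transmission fault that drops ciphertext byte `index`.
    Returns (prefix_ok, suffix_ok): bytes before the drop still decrypt,
    bytes after it do not, because the receiver's keystream is now one
    position ahead of the data (loss of synchronization)."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    damaged = ct[:index] + ct[index + 1:]
    recovered = stream_xor(key, nonce, damaged)
    original = stream_xor(key, nonce, ct)
    return (recovered[:index] == original[:index],
            recovered[index:] == original[index + 1:])


# Constructed demo values (not real secrets).
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
DEMO_NONCE_A = bytes(16)
DEMO_NONCE_B = bytes([1] * 16)
DEMO_PLAINTEXT = b"the same order message sent twice to the same recipient"

if __name__ == "__main__":
    blob = encrypt(DEMO_KEY, DEMO_NONCE_A, DEMO_PLAINTEXT)
    print("round trip ok:", decrypt(DEMO_KEY, blob) == DEMO_PLAINTEXT)
    print("new IV changes ciphertext:",
          ciphertexts_differ_with_new_nonce(DEMO_KEY, DEMO_PLAINTEXT,
                                            DEMO_NONCE_A, DEMO_NONCE_B))
    print("prefix ok / suffix ok after dropped byte:",
          decrypt_after_dropped_byte(DEMO_KEY, blob, 10))
```

Reusing a nonce with the same key is the weakness the text describes: the two ciphertexts would be identical, and XORing them together would cancel the keystream entirely, which is why a real deployment must never repeat a nonce under one key.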

Block ciphers are widely used in software. Data Encryption Standard (DES), RC5, Advanced Encryption Standard (AES) and Blowfish are some examples of block ciphers.

What is Public Key Encryption?

As discussed already, symmetric key encryption uses the same secret key for encrypting and decrypting data. But this can be inconvenient. For example, if two users want to exchange encrypted messages over the internet using symmetric key encryption, they first need to share the secret key with each other, and that may not always be possible. Public key encryption addresses this.

Public key encryption is an encryption process in which two different keys are used for encryption and decryption: one key is used at the time of encryption and the other at the time of decryption. These are called the private key and the public key.

Each user who wants to use public key encryption has to create a keypair consisting of a public key and a private key. The private key must be kept secret by the user, and the public key can be distributed to others who want encrypted communication with the user.

If a plaintext message is encrypted with the private key, it can be decrypted with the public key; and if it is encrypted with the public key, it can be decrypted with the private key. This makes public key encryption very convenient for encryption, decryption and digital signatures.

If Alice wants to send an encrypted message to Bob, she encrypts the message using Bob's public key. Bob can decrypt the message using his private key and read it. As the private key is known only to Bob, only Bob is able to decrypt and read the message.

But at the same time, Bob may need to make sure the encrypted message was sent by Alice and not by anyone else who has Bob's distributed public key. Digital signatures are used for that purpose. Alice can make a digital signature of the message using her private key and send it to Bob along with the encrypted message. Bob can verify the digital signature using Alice's public key. As no one else knows Alice's private key, Bob can be sure that only Alice could have sent the encrypted message.
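The Alice/Bob exchange above, as an added Python example that is not part of the original post: textbook RSA, where encryption uses the recipient's public key and signing uses the sender's private key. The two keypairs are built from fixed, well-known Mersenne primes so the demo is repeatable; real RSA keys use randomly generated primes of at least 1024 bits each and a padding scheme (this demo has none), so treat it as an illustration of the two-key property only. The key sizes, the message and the names are assumptions of the example.

```python
import hashlib

# Constructed demo parameters: Mersenne primes, chosen only so the numbers
# are reproducible. e = 65537 is coprime to (p-1)(q-1) for all four primes.
BOB_PRIMES = (2**31 - 1, 2**61 - 1)
ALICE_PRIMES = (2**89 - 1, 2**107 - 1)
E = 65537


def generate_keypair(p: int, q: int, e: int = E):
    """Returns (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e mod phi
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Encrypt with the recipient's PUBLIC key; only the private key undoes it."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus (no padding here)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    # Leading zero bytes of the original message are not preserved by this
    # toy integer encoding; a real scheme fixes the block length with padding.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Sign with the sender's PRIVATE key over a hash of the message."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's PUBLIC key can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def alice_sends_to_bob(message: bytes):
    """Full exchange: Alice encrypts for Bob and signs; Bob decrypts and
    verifies. Returns (recovered_message, signature_valid)."""
    bob_pub, bob_priv = generate_keypair(*BOB_PRIMES)
    alice_pub, alice_priv = generate_keypair(*ALICE_PRIMES)
    ciphertext = encrypt(bob_pub, message)        # only Bob can read this
    signature = sign(alice_priv, message)         # only Alice can produce this
    recovered = decrypt(bob_priv, ciphertext)
    return recovered, verify(alice_pub, recovered, signature)


if __name__ == "__main__":
    print(alice_sends_to_bob(b"hi Bob"))
```

Bob's modulus here is only about 92 bits, which is why the message must be a few bytes; the point is that decryption needs the key Bob never shared, and verification needs only the key Alice did share.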

Thus, public key encryption can be used conveniently for encryption, decryption and digital signatures. DSA, RSA and PGP use public key encryption. PGP, though, can use both symmetric key encryption and public key encryption depending on the application.

Saturday, December 3, 2016

We often use a combination of username and password to authenticate ourselves. But this is not secure enough. We often hear about data breaches caused by weak passwords or password reuse. We are also aware of malware like keyloggers that can steal users' passwords. A feasible way to address that problem is to use 2 Factor Authentication.

What is 2 Factor Authentication?

We often use several pieces of information to prove our identity at the time of authentication, information that no unauthorized person should know. These are called factors of authentication. For example, a password, a PIN and a security question are authentication factors.

There are mainly three types of factors that are commonly used for the purpose of authentication.

Knowledge Factor

Possession Factor

Inherence Factor

Knowledge Factor

A knowledge factor refers to a piece of information that only the user knows. For example, a password or a PIN is considered a knowledge factor. A security question is also a knowledge factor, though it is considered a weak one: an attacker can do enough research on the victim to find the information used.

Possession Factor

A possession factor refers to something that the user has. A hardware token used at the time of authentication can be considered a possession factor. Authentication using an ATM card is also a good example of a possession factor. As nobody can authenticate without physically possessing the factor, authentication using a possession factor is considered quite secure. But it may prove inconvenient at times, as the user always has to carry the possession factor in order to authenticate.

Inherence Factor

An inherence factor refers to something that is an essential characteristic of the user. Authentication using biometrics like fingerprints, iris or voice is a good example of an inherence factor. This method of authentication is considered quite secure.

Any
authentication process that uses only one of the above factors is
called a single factor authentication. A multifactor
authentication is an authentication process that uses more than
one of the above factors. And, a 2 Factor Authentication or 2FA
is authentication using two of the above three factors.

Authentication using an ATM card and PIN is a good example of 2FA. Here, the ATM card is the possession factor and the PIN is the knowledge factor. Authentication using a password and a One Time Password (OTP) sent to the user's mobile phone is also an example of 2FA. Here, the password is the knowledge factor and the user's mobile phone is the possession factor.

How secure is 2 Factor Authentication using OTP sent to mobile phones?

Many websites use 2FA with a password and an OTP or One Time Password that is sent to the user's mobile phone at the time of authentication. This counts as 2FA, though it does not provide very strong security. Attackers can infect the user's mobile phone with malware or perpetrate a Man-In-The-Middle attack to steal the OTP from the user's mobile phone and authenticate to the system without physically possessing the phone. 2FA using a hardware token instead is considered more secure.

Another option users have for 2FA is Google Authenticator. In this method, the user has to install the Google Authenticator application on his mobile phone and do some setup beforehand. Later, when the user wants to authenticate to a website, he runs the application. The application shows a 6 digit code and sends the same code to the website at the same time. The website then asks the user to enter the 6 digit code and verifies it against the sent code. As the website has to provide a shared secret key to the user to store in the application at the time of setup, an attacker would need to get the shared secret key or physically possess the mobile phone to be able to authenticate to the account.

Thus, 2
Factor Authentication using mobile phones does not provide very
strong security. But, surely it is more secure than using single
factor authentication and more convenient than using a hardware
token.

Nowadays, many websites provide the option of using 2FA. Users should enable it wherever possible to secure their accounts better.

Friday, December 2, 2016

We often hear the term "social engineering". It is a technique commonly used by attackers to spread malware or steal sensitive data from victims. What is social engineering actually? How do attackers use it for malicious purposes, and how can we safeguard ourselves? This article discusses that.

What is Social Engineering?

Sometimes we think in ways that deviate from rationality or good judgment. These are called cognitive biases, and they are often maliciously exploited by attackers in perpetrating cyber crimes. Social engineering is a technique based on these cognitive biases of ordinary people.

Social engineering refers to the psychological manipulation of people with the purpose of deceiving them into performing harmful actions, like installing malware or divulging sensitive information, that the victims would otherwise not do.

Types of Social Engineering

There are
several types of social engineering.

Pretexting

In pretexting, criminals create an imaginary scenario to convince a user to divulge sensitive information or perform other actions that serve the attackers' purposes. The attackers often do this by researching the target, then using that information to impersonate a legitimate authority and deceive the user. A very good example is impersonating a tax authority and deceiving a victim into divulging sensitive information. Another example is impersonating a coworker who has some urgent problem and requires access to additional network resources.

Baiting

Baiting is like a real-world Trojan Horse. Attackers use some physical medium to lure the victims, exploiting their curiosity or greed. A very good example is leaving a malware-infected USB drive in a public place and waiting for victims. If a victim, out of curiosity, takes the USB drive and inserts it into his computer, the computer is infected with malware, which gives the attackers access to it.

Quid Pro Quo

In this technique, attackers lure victims into divulging sensitive information in return for something very cheap. A good example is offering ice creams or chocolates to young people to make them divulge their passwords.

Scareware

Scareware involves scaring the victim into thinking that his computer has some technical problem or is infected with malware that needs immediate removal. This technique is often used by attackers to trick users into installing rogue anti-malware, which itself installs malware on the computer.

Phishing

Phishing is a technique widely used by attackers to deceive victims into divulging sensitive information or installing malware on their computers. The attackers typically send an email purportedly from a legitimate authority and request that some details be verified by clicking a link or opening a malicious attachment. The attackers typically use threats and create a sense of urgency, so that users get worried and fall victim.

Vishing

In this technique, the attackers use a rogue Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank or other legitimate authority and use that for phishing. Attackers often send the victims legitimate-looking numbers to call to verify some details, and when the victims call, they are deceived into divulging passwords, PINs or other sensitive information. In some cases, the attackers ask the victims to log in using the IVR and reject the credentials continually, so that the victims type in the credentials multiple times or are tricked into typing in multiple passwords.

Techniques used in Social Engineering

Attackers
can use several methods in social engineering.

Email from a friend

Attackers
can spoof email address of a friend or relative and send a phishing
email to the user. As the email contains email address of a friend or
relative, it becomes more difficult for the victims to detect such
scams.

Containing a link

Attackers often send emails containing a link that points to some malicious website. The website may spread malware, or it may be a clone of a legitimate website that the attackers use to trick users into divulging sensitive information.

Containing an attachment

Attackers
often send an email requesting the victim to verify some details by
opening a malicious attachment and when the attachment is opened, the
computer gets infected with malware.

Urgently asking for help

Attackers
can send emails urgently asking for help. They may talk about an
imaginary situation and ask the victim to send money to the sender.

Asking for a donation

Attackers
may send emails asking for donation for their charitable fundraiser
and instruct the victim how to send money.

Asking to verify some information

Attackers may send a malicious attachment and trick the user into opening it by requesting verification of some information. The attackers often create a sense of urgency in the email to increase the probability that the victim opens it.

Notifying you that you are a winner

Attackers may send an email claiming to be from a lottery, a dead relative or some other wealthy person who wants to transfer money to the victim's bank account, and thus trick the victim into clicking a link or attachment or divulging sensitive personal information.

Example of Social Engineering

Amazon Phishing Scam

This scam appeared in January, 2017. In this scam, a victim typically gets an SMS like the one below:

Order Confirmation
(#101-2341765-1192723)

Order total: 70$

If you did not
authorize this purchase, click http://bit.ly/amazon-refund to Cancel
and Refund.

As usual, the link points to a fraudulent website that looks almost identical to the Amazon website and asks the victim for sensitive credentials. The fake website even asks the victim to enter credit card numbers. No doubt, on providing such sensitive details the victim's Amazon account as well as financial details get compromised.

However, if you look
carefully, you can notice some pointers that indicate the SMS is not
legitimate.

It should have been written as $70 and not 70$. A legitimate communication should not have this mistake.

It is unlikely that Amazon would send a link using such a URL shortening service.

This is a good example of a scam using social engineering. If a user gets any such unexpected text, the best way to deal with it is not to visit the provided link, but to log in to the legitimate Amazon website and check the active orders. The user can also call Amazon customer care and clarify.
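The two pointers above (the misplaced currency symbol and the shortened link) are exactly the kind of checks a mail or SMS filter can automate. The following is an added Python example, not code from the original post, that scans a message for those indicators plus two more: a link whose host is not under the brand's expected domain, and urgency wording. The shortener list, the urgency phrases and the expected-domain rule are assumptions of the example; the sample SMS is reconstructed from the text above, and the legitimate-looking sample is constructed for comparison.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Assumption of this example: a short list of common public URL shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Assumption of this example: phrases that push the reader to act at once.
URGENCY_PHRASES = ("did not authorize", "immediately", "suspended",
                   "verify your", "click")

# Amount written as "70$" instead of "$70": digits directly followed by '$'.
AMOUNT_THEN_SYMBOL_RE = re.compile(r"\b\d+(?:\.\d+)?\$")


def link_hosts(text: str):
    """Hostnames of every http(s) link in the message, lower-cased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def host_belongs_to(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it (not for
    look-alikes such as 'amazon.com.example.net')."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(text: str, expected_domains):
    """Return the list of indicators found; an empty list means none fired."""
    found = []
    hosts = link_hosts(text)
    if any(h in SHORTENERS for h in hosts):
        found.append("url_shortener")
    if any(not any(host_belongs_to(h, d) for d in expected_domains)
           for h in hosts):
        found.append("link_domain_mismatch")
    if AMOUNT_THEN_SYMBOL_RE.search(text):
        found.append("currency_symbol_after_amount")
    lowered = text.lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        found.append("urgency_language")
    return found


# Reconstructed from the SMS quoted in the post.
SCAM_SMS = ("Order Confirmation (#101-2341765-1192723)\n"
            "Order total: 70$\n"
            "If you did not authorize this purchase, click "
            "http://bit.ly/amazon-refund to Cancel and Refund.")

# Constructed for comparison: same subject, none of the tells.
BENIGN_SMS = ("Your order has shipped. Total: $70. "
              "Track it at https://www.amazon.com/your-orders")

if __name__ == "__main__":
    print("scam:  ", phishing_indicators(SCAM_SMS, ["amazon.com"]))
    print("benign:", phishing_indicators(BENIGN_SMS, ["amazon.com"]))
```

A shortened link is flagged on its own because it hides the destination; the domain-mismatch rule catches the common case where the destination is visible but simply is not the brand's.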

Social Engineering Prevention

We can
always take a couple of steps to protect ourselves in a better way:

If an email creates a sense of urgency to click a link, open an attachment or reveal sensitive information, slow down and think twice before performing any action the sender wants you to take.

If an email looks suspicious, spend some time researching the facts. Sometimes a few simple Google searches go a long way in preventing problems.

Delete emails that request credentials or other sensitive information. They are surely scams.

Reject requests for help that arrive by email from an unknown person.

Do not click any link in a suspicious email from an unknown sender.

Do not open attachments of emails from unknown senders.

Email spoofing is widely used by attackers to trick victims. So, if you get an email that carries the address of a friend or relative in the sender field but looks suspicious, do not click any link in it or open any attachment.

If you receive an email offering a foreign lottery or sweepstakes, money from an unknown person or funds from a foreign country in return for personal information, delete it immediately.

If an email looks suspicious, confirm with the sender offline before responding. It is better to be safe than sorry.

If you think an email is spam, mark it as such in the spam filter. Spam filters often use machine learning to detect spam, and marking an email as spam helps the filter learn and detect future spam better.

Last but not least, keep your operating system, browser and other commonly used software updated with recent security patches. Configure proper firewalls. Use anti-malware solutions from trusted sources and keep them updated regularly.

Many of us have heard the terms AI, machine learning and deep learning. Some of us have also heard that they can have a big impact on cyber security. What are AI, machine learning and deep learning actually? And how can they improve cyber security? This article discusses that.

What is Artificial Intelligence?

Artificial
Intelligence or AI is the science and engineering of making a machine
intelligent, so that it can perform tasks similar to those that
require human intelligence. It can give machines the ability to learn
without being explicitly programmed. For example, a machine can know
about the facts about a specific situation and based upon that it can
decide upon its action to achieve a goal. It can look at the previous
steps of a game of chess and decide on what can be the best possible
next move. Or a machine can know about the general facts of the
world, facts about a particular situation and a statement of a goal
and it can plan a strategy or sequence of actions using AI to achieve
its goal.

Artificial Intelligence is widely used in many areas, like:

Playing games like chess

Speech recognition

Understanding natural language

Computer vision

Building expert systems

What is Machine Learning?

Machine learning is a sub-field of AI that gives machines the ability to learn from data and make predictions based on it. For example, a machine can use machine learning to learn from a set of inputs and their corresponding outputs, and based on that it can predict the output for new input data. Applications of machine learning include spam filtering, Optical Character Recognition, search engines, computer vision and cyber security.

There are three main types of machine learning algorithms:

Supervised Learning

Unsupervised Learning

Reinforcement Learning

What is Supervised Learning?

In
this technique, the machine is provided with a set of inputs and its
corresponding outputs. The machine uses supervised learning to obtain
general rules that map the inputs with the outputs. The algorithm
typically iteratively makes predictions on the training input data
and adjusts itself from the feedback. It stops when an acceptable
level of performance is achieved. This is called supervised learning
because the training dataset supervises the learning process.

What is Unsupervised Learning?

In unsupervised learning, the machine is provided only with input data, with no labels on it. The goal is to learn the underlying structure or distribution of the data and predict the outcome for similar input data based on that. For example, it can extract features from the input dataset and divide the data into groups of similar items, so that when new data arrives, it can predict its output from the group it falls into. A common application is an ecommerce website, where machine learning can be used to divide customers into segments and draw inferences from that for a marketing campaign.

In many applications, a semi-supervised learning algorithm is used, where the machine uses both supervised and unsupervised algorithms to learn from the training datasets.

What is Reinforcement Learning?

In reinforcement learning, the machine interacts with the dynamic
environment to perform a certain goal. A good example can be playing
a game of chess, where the machine can use machine learning to learn
from the previous steps and decide on its next move. And, based on
the user’s next move, it can again decide on its next action.

What is Deep Learning?

There are several approaches to machine learning. One such approach is to use an artificial neural network. An artificial neural network is a machine learning algorithm inspired by the structure and functional aspects of biological neural networks. The neurons in the network are connected to each other, and data propagates through those connections. In the simplest case there are two sets of neurons: ones that receive the input signals and ones that send the output signals. Deep learning uses several layers between the input layer and the output layer.

In Deep Learning, when an
input is given to the input layer, the input layer processes the
input and passes on a modified version of the input to the next
layer. Each neuron in the neural network assigns a weighting to its
input and the final output is determined by the total of those
weightings.

A simple example of using deep
learning can be recognizing a stop sign from an image. Attributes of
the stop sign image like its octagonal shape, red color, letters
used, size of the traffic sign etc are examined by the neurons and
based on that each neuron gives a weighting. Depending on the
weightings, the deep learning algorithm can come up with a
probability vector whether the image can be a stop sign.

So, to summarize, machine learning evolved as a sub-field of artificial intelligence, and deep learning is a sub-field of machine learning. Falling hardware prices and the development of GPUs have contributed to the growth of deep learning.

AI, Machine Learning, Deep Learning and Cyber Security

Let’s try to understand, how
AI, machine learning and deep learning can be used to improve cyber
security.

Traditional Malware Detection Techniques

There are several ways malware is detected by traditional anti-malware programs. The most common are:

Signature Based Detection – In this technique, an unidentified piece of code is compared with a database of signatures of known malware. If a match is found, the new piece of code is identified as malware. The problem with this approach is that signature based detection cannot detect new malware whose signatures are not yet in the database. Moreover, it sometimes takes months to release signatures for newly found malware. So this technique is extremely inefficient at detecting malware, especially Zero Day threats and APTs.

Heuristic Techniques – In this technique, the unidentified piece of code is run and the behavioral characteristics of the new code are observed. Malware behavior is typically observed at runtime, once the code starts executing. So the prevention mechanism is delayed, which makes it ineffective at times.

Sandbox
–
In sandbox solutions, the unidentified code is executed in a virtual
environment and its behavior is observed to determine whether it can
be a malware. This process is time consuming and ineffective for
real-time protection. Moreover, the malware can stall its execution
once it detects a virtual environment, which makes its detection
challenging at times.

Malware Detection using AI, Machine Learning and Deep Learning

Machine learning can be used for more effective malware detection. In this technique, a file's characteristics are observed to decide whether it may be malicious. This is done by training the machine learning algorithm on some manually selected features that can distinguish a malicious file from a legitimate one.
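The supervised approach described above (and in the "What is Supervised Learning?" section earlier), as an added Python example that is not part of the original post and uses only the standard library: two hand-picked file features (byte entropy, which packed or encrypted payloads push towards the maximum, and the fraction of printable bytes) are extracted from each sample, and a logistic-regression classifier is trained on labelled examples by gradient descent, then used to score unseen files. The corpus is constructed: plain text stands in for legitimate files and seeded random bytes stand in for packed malicious ones, so the point is the pipeline (feature extraction, labelled training, prediction), not the strength of these two features. The feature choice, the learning rate and the epoch count are assumptions of the example.

```python
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0..8. Packed or encrypted content sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_fraction(data: bytes) -> float:
    """Share of bytes in the printable ASCII range."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def features(data: bytes):
    """The manually selected feature vector: entropy scaled to 0..1, printable share."""
    return [shannon_entropy(data) / 8.0, printable_fraction(data)]


def _sigmoid(z: float) -> float:
    z = max(-60.0, min(60.0, z))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(samples, labels, lr=0.5, epochs=2000):
    """Supervised training: repeatedly predict each labelled sample and
    nudge the weights against the error. Returns (weights, bias)."""
    dim = len(samples[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        for x, y in zip(samples, labels):
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
            b -= lr * err
    return w, b


def predict(model, data: bytes) -> float:
    """Probability (0..1) that the file is malicious under the trained model."""
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, features(data))) + b)


def random_blob(length: int, seed: int) -> bytes:
    """Constructed stand-in for a packed/encrypted payload (seeded, repeatable)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed training corpus: 8 text-like "legitimate" files (label 0) and
# 8 high-entropy "malicious" files (label 1).
CORPUS = ([("benign config file number %d\n" % i).encode() * 40 for i in range(8)]
          + [random_blob(1200, seed) for seed in range(8)])
LABELS = [0] * 8 + [1] * 8


def train_demo_model():
    return train_logistic([features(d) for d in CORPUS], LABELS)


def training_accuracy(model) -> float:
    hits = sum((predict(model, d) >= 0.5) == bool(y) for d, y in zip(CORPUS, LABELS))
    return hits / len(CORPUS)


if __name__ == "__main__":
    model = train_demo_model()
    print("training accuracy:", training_accuracy(model))
    print("unseen text file  :", round(predict(model, b"INFO: service started\n" * 30), 3))
    print("unseen random blob:", round(predict(model, random_blob(1000, 99)), 3))
```

The limitation the next paragraph raises is visible here: someone had to decide that entropy and printable share are the features worth measuring, and a file that evades those two measurements evades the model.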

This is no doubt a better
approach, but it has its own disadvantages. This technique requires
human intervention to teach the machine the parameters, variables or
features based on which malware detection can be done. And, to
address that an advanced technique is used that uses deep learning to
detect malware.

In this technique, a dataset of a huge number of malicious and legitimate files is fed into the machine. The machine uses deep learning to learn by itself the features necessary for malware detection. When learning completes, the machine can detect malicious files of any type. Threats can also be detected in real time and potential threats blocked. This technique can be quite effective in detecting even Zero Day threats and APTs.

AI, machine learning and deep learning technologies are evolving day by day, and if used properly they can improve cyber security to a great extent.